DETAILED ACTION

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the fee set
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 7/23/09 
has been entered. 

Claims 1-19 have been amended and are pending. 

Response to Amendment 

Double Patenting 

Examiner acknowledges Applicant's response to the double patenting rejection. 
Examiner will maintain that rejection as cited in the Office Action filed 9/8/08 until either 
the claims are amended enough to differentiate the conflicting claims or a terminal 
disclaimer is filed. 



Claim Rejections - 35 USC §112 

Claim rejections under 35 USC 112 have been withdrawn due to amendments. 

Response to Arguments

Applicant's arguments with respect to claims 1-19 have been considered but are 
moot in view of the new ground(s) of rejection. 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as 
set forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious 
at the time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains. Patentability shall not be negatived by the manner in which the invention 
was made. 



Claims 1-11 and 13-19 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over USP Application Publication 2003/0114144 to Minemura in view of
USP 6,832,230 to Zilliacus et al., hereinafter Zilliacus. 



As per claim 1, Minemura teaches an authentication method of at least one
application working in a equipment [terminal] connected by a network to a control server 
[server/service company], said equipment being locally connected to a security module 
[authentication module], said application being at least one of loaded loadable and 
executable via an application execution environment of the equipment and being 
adapted to use resources stored in the security module, the method comprising (see
abstract): 

analyzing and verifying by the control server of said data (0192), 

generating by the control server a cryptogram comprising a digest of the 
application (0084-0085 and Fig. 6), and instructions intended for said module (0125), 

transmitting the application and the cryptogram, via the network and the 
equipment, to the security module (0085), and 

verifying, by the security module, the application by comparing the digest 
extracted from the cryptogram received with a digest determined by the security module 
(0085), 

wherein, during at least one of initialization and activation of the application, the 
security module executes the instructions extracted from the cryptogram and, according 
to a result of the verification of the application, performs at least one of releasing and 
blocking access of certain resources of said security module to the application (0085). 
Minemura is silent in explicitly disclosing that the reception by the control server, via the 
network, of data comprising at least the identifier of the equipment and the identifier of 
the security module and that the cryptogram from the server includes these entities as 
well. Minemura does disclose teaching identifying data to the server from the terminal 
but not these specific entities. Zilliacus discloses sending these specific entities, the 
SIM and IMEI information to a control to authorize and authenticate a user terminal for 
downloading of content (col. 7, lines 15-25). Minemura teaches that the server sends
authorization information to the terminal, whereby it compares said information to
information stored in the TRM in order to detect tampering (0088). The IMEI and SIM
information are stored in a 'TRM'. Therefore it would have been obvious to send the SIM
and IMEI to the security module as well. Minemura's teaching focuses on making sure that
downloaded applications have not been tampered with. Zilliacus emphasizes the mobile
terminal's authentication to the server. One of ordinary skill in the art could have
combined the two teachings to increase security, whereby mutual authentication is used to
protect both the server and terminal.

As per claim 2, Minemura teaches the equipment is a mobile equipment of 
mobile telephony (0013). 

As per claim 3, Minemura does not explicitly teach that the network is a mobile network of
at least one GSM or GPRS or UMTS (0013). Zilliacus teaches the network is a mobile
network of at least one GSM or GPRS or UMTS (col. 5, lines 20-35). Minemura's 
invention is in the mobile telephony art. GSM is one specific type of mobile 
communication. Therefore it would have been obvious to one of ordinary skill in the art 
at the time of the invention to implement Minemura's system on a GSM network. 

As per claim 4, Minemura teaches the security module is a subscriber module 
inserted into the mobile equipment of mobile telephony of the SIM card type (0013).

As per claim 5, Minemura teaches the identification of at least one of the set 
mobile equipment and subscriber module is carried out from the identifier of the mobile 
equipment and from the identifier of the subscriber module suited to a subscriber to the 
network (0193). 

As per claim 6, Minemura teaches the instructions included in the cryptogram
received by the security module condition the use of the applications according to 
criteria established previously by at least one of the operator, the application supplier, 
and the user of the equipment (0125, 0141). 

As per claim 7, Minemura teaches the criteria define limits of use of an 
application according to the risks associated with at least one of the software of said 
application and with the hardware of the equipment that the operator desires to take into 
account (0125, 0141 and solves the problem of 0008). 

As per claim 8, Minemura teaches the verification of the application with the 
cryptogram is carried out at the time of at least one of the first initialization and the first 
use of said application (0210). 

As per claim 9, Minemura teaches the verification of the application with the 
cryptogram is periodically carried out at a given rate [expiry rate] according to 
instructions originating from the control server (0143-0144). 

As per claim 10, Minemura teaches the verification of the application with the 
cryptogram is carried out at the time of each initialization of said application on the 
equipment (0144). 

As per claim 11, Minemura teaches the cryptogram is generated with the aid of
an asymmetrical or symmetrical encryption key from a data set (0199) containing,
among other data, the identifier of the equipment, the identifier of the security module,
an identifier of the application (0141), the digest of the application calculated with a
unidirectional hash function and identifiers of the resources of the security module and
instructions for locking/releasing of resources of the security module (0191). 

As per claim 13, Minemura teaches the security module transmits to the control 
server, via the equipment and the network, a confirmation message when said security 
module has accepted or refused a cryptogram of an application (0087, provision of 
service). 

As per claim 14, Minemura teaches the cryptogram is transmitted to the security 
module at the same time as the application is loaded into the equipment via the 
execution environment of the applications (0210). 

As per claim 15, Minemura teaches the application, once loaded into the 
equipment from the control server via the network, requests a cryptogram from the 
server at the time of its initialization and transmits said cryptogram to the security 
module (0089), the confirmation message of acceptance or refusal of the cryptogram 
being transmitted by the security module to the server via the application (0210). 

As per claim 16, Minemura teaches the equipment is a Pay-TV decoder or a 
computer to which the security module is connected (0078). 

As per claim 17, Minemura teaches a security module [authentication module] 
comprising resources intended to be accessed locally by at least one application 
installed in an equipment [terminal] connected to a network (see abstract), 

said equipment including means for reading and transmitting data (0085), 

said module further including means for reception, storage, and analysis of a
cryptogram and of the at least one application received with the cryptogram (Figure 6) 

wherein the cryptogram includes, a digest of said application (0193) and 
instructions (0125), 

means for verification of said at least one application (0192), and 

means for extraction and execution of the instructions contained in the 
cryptogram, the means for extraction and execution performing at least one of blocking 
certain resources of the security module to the at least one application according to a 
result of the verification of the at least one application (0085-0089). 

Minemura is silent in explicitly disclosing that the data includes at least the 
identifier of the equipment and the identifier of the security module and that the 
cryptogram from the server includes these entities as well. Minemura does disclose 
teaching identifying data to the server from the terminal but not these specific entities. 
Zilliacus discloses sending these specific entities, the SIM and IMEI information to a 
control to authorize and authenticate a user terminal for downloading of content (col. 7, 
lines 15-25). Minemura's teaching focuses on making sure that downloaded applications
have not been tampered with. Zilliacus emphasizes the mobile terminal's authentication to
the server. One of ordinary skill in the art could have combined the two teachings to
increase security, whereby mutual authentication is used to protect both the server and
terminal.

As per claim 18, Minemura teaches the security module [IC] is at least one being
of the "subscriber module" and "SIM card" type intended to be connected to a mobile 
equipment (0013). 

As per claim 19, Minemura teaches the security module is a subscriber 
identification module [IC] inserted into the mobile equipment of mobile telephony (0013). 

Claim 12 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Minemura and Zilliacus as applied to claim 11 and in further view of USP Application
Publication 2002/0012433 to Haverinen et al., hereinafter Haverinen.

As per claim 12, Minemura is silent in disclosing a predictable variable in the 
cryptogram. Minemura does teach using a random number to prevent replay attacks 
(0192). Haverinen teaches that timestamps can be used as a substitute for a random
number in authentication to prevent replay attacks. Therefore it would have been
obvious to one of ordinary skill in the art at the time of the invention to use the 
timestamps in the cryptograms as a means to prevent malicious replay attacks by a 
third party. Timestamps are known to be an adequate method of performing the same 
function of a random number in the art of computer security. 



Conclusion 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is 
(571)270-7316. The examiner can normally be reached on Monday - Thursday, 7:30am 
- 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, William Korzuch can be reached on 571-272-7589. The fax 
phone number for the organization where this application or proceeding is assigned is 
571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/M. R. V./ 

Examiner, Art Unit 2431 
/William R. Korzuch/ 

Supervisory Patent Examiner, Art Unit 2431 